Firmware Security Lags as IoT Devices Proliferate

As the era of automation and the Internet of Things (IoT) continues to dawn, businesses are seeing a marked increase in connected devices as part of their hardware footprint. Yet most businesses don’t have comprehensive programs in place to address firmware vulnerabilities.

Firmware, the hard-coded software frequently stored in read-only memory (ROM), is increasingly the subject of inventive attack methods from cyber-criminals, according to cybersecurity association ISACA. As such, organizations should adopt a security-first approach to how businesses view hardware lifecycle management, rather than treating it as a purely operational concern.

Such an approach pays off: ISACA research reveals that more than half (52%) of the study’s participants who place a priority on security within hardware life cycle management report at least one incident of malware-infected firmware being discovered, with 17% of these incidents having a material impact.

In contrast, those who do not prioritize security in the hardware life cycle process have a high rate of unknown malware occurrences (73%). This indicates that many vulnerabilities may remain undetected and unpatched, creating security risks.

This lack of knowledge is having an impact on confidence too, with 71% of respondents in this category (low security priority) feeling unprepared to deal with a cyber-attack.

“We are seeing more and more that firmware security is no longer a theoretical problem,” said Justine Bone, director and CEO, MedSec, who will discuss the topic and present the findings of the report at all three of ISACA’s Cybersecurity Nexus (CSX) conferences. “The evidence is showing us that attackers are targeting firmware—many breaches and vulnerability discoveries these days can be attributed to firmware problems. Solutions are emerging, but most enterprise environments remain unprepared. While it’s clear that knowledge is power in this instance, it’s also evident from this research that company culture and overall attitude to security is a major contribution to vulnerability.”

According to the survey, 63% of the individuals who consider their organizations to be fully compliant with firmware audits reported higher levels of effectiveness of their patch management processes. On the other side, more than half of those who didn’t receive any feedback (51%) in this audit category had no controls for firmware integrity monitoring and flaw remediation.

“With firmware maintenance being considered an operations function rather than a security concern, the chance for exploited vulnerabilities persists,” said Christos Dimitriadis, chair of ISACA’s board of directors and group director of information security for INTRALOT. “It is time to underline the importance of firmware security in our risk assessments and embed prioritized controls based on the threat model of each organization, whether this includes espionage, transaction integrity loss or business disruption.”